As the financial services industry awakens to the competitive advantage of driving business value with technology, industry leaders are expanding their view of risk management to include information technology in the complex financial services “riskscape.” This new holistic view of technology risk, which we call Tech Risk 2.0, integrates IT risk management (ITRM) across an organization, breaking down risk governance silos and aligning risk priorities with business goals and objectives, positioning organizations to respond better to a new market defined by cloud, mobile and fintech applications.
For one global financial services organization, the journey to ITRM maturity began with an IT risk director frustrated by the inefficiencies and inconsistencies in the evaluation of IT risk across the organization. The issues arose from the fact that the risk assessment practices in place (PCI, technology changes, project risk, vendor risk, etc.) were misaligned and fragmented, without a common framework or reference to the overall risk picture of the organization. Inconsistencies were present in both the types of risk considered by the various groups and the methodologies used to assess them, but most importantly, in the conclusions about their effect on the organization and the controls considered to mitigate them. In addition, much of the risk assessment was technology-focused and offered little business insight, which made it challenging for management to properly understand and prioritize IT risks at an enterprise level.
Management knew that if the organization was to capitalize on technology-driven business opportunities, it needed to raise the level of its ITRM maturity by instituting an enterprisewide ITRM framework defined by business, rather than technology, goals.
Management also understood that a journey to higher maturity does not happen overnight. It is a cultural and operational evolution that occurs over multiple years, often requiring the assistance of an experienced third party unconstrained by the organizational silos and mindsets that often prevent such change from occurring. To provide this objectivity and expertise, the IT risk group partnered with Protiviti, selecting Protiviti’s IT risk maturity model with which to assess and improve its maturity state.
Transformation began with an initial discovery period to clarify organizational structures, identify stakeholders, document existing processes and envision a future state that takes into account regulatory requirements as well as the company’s technology-enabled business objectives. Discovery was followed by assessments and interviews to glean an understanding of established risk management practices and identify areas for improvement. Using its IT risk index, Protiviti compared the company’s ITRM capabilities to industry best practices, to arrive at a maturity level from which to design the road map for improvement. Once the gaps between the current and desired state were identified, Protiviti developed a list of prioritized observations and recommendations (short and long term) that would serve as a guide to the organization in the transformation process.
Key deliverables from this process included:
The risk framework Protiviti designed helped the firm not only to visualize its ideal end-state but also to have a clear road map and methodology with which to realize that vision. The framework is business-centric and aligned with the organization’s risk appetite and strategic goals, utilizes technology effectively by removing redundancies, and positions the company to compete in a cloud-enabled world.
For our client, the effort to raise IT risk to the enterprise level was a complex undertaking requiring a lot of focus, energy and commitment to change. Transformation on this scale could never be achieved without strong support at the highest levels of the organization – which in this case was present and steadfast throughout the project. In a recent conversation, a stakeholder at the company said that the work by Protiviti continues to inform the actions of the risk team on its road to ITRM maturity. Protiviti has also remained a top-tier security partner to the firm.
Though the journey to IT risk maturity has just begun, the financial services company has already achieved its primary objective – a clear view of strong, enterprise-level IT risk management and a well-marked path to get there.